Four must-watch areas for higher ed information security


Looming cyberthreats, rapid changes in technology and the evolving role of higher ed CIOs are on the mind of college and university IT officials, thanks in part to high-profile attacks against universities and the increasing importance of IT across campuses as a whole.

Information security has become a special concern and critical part of the IT landscape as schools contend with the need to safeguard sensitive student and faculty data, says Joanna Grama, who directs cybersecurity, IT governance and risk programs for EDUCAUSE.

Grama has a distinct view of IT and cybersecurity issues facing higher ed institutions. In addition to leading a specialty community of higher ed IT leaders within EDUCAUSE, her expertise also extends into other critical information security topics, including data privacy, governance and compliance.

Much of that expertise stems from an earlier career as a lawyer who transitioned to directing information security policy at Purdue University. But she also maintains her credentials as a certified information systems security professional.

Earlier this month, Grama helped spearhead EDUCAUSE’s annual conference for higher ed IT security professionals, a three-day event that brought together hundreds of higher ed IT professionals to digest many of the most pressing trends and changes impacting schools today.

EdScoop recently connected with Grama to discuss the key takeaways and major issues facing higher ed IT professionals going forward. Here’s what she told us stood out to her, based on her most recent discussions with leaders in the field:

Budgets remain critical

EDUCAUSE recently released the results of its annual member survey for 2017 (based on data collected in 2016), which looks at year-over-year trends relating to IT and other areas in U.S. colleges and universities. According to the research, overall IT spending has ticked up slightly during the past four years, and institutions have doubled the average number of dedicated IT security specialists from 2015 to 2016, to two per 10,000 full-time institutional employees.

Despite these trends, overall IT funding remains low, and often inconsistent. While 46 percent of institutions reported a 5 percent or greater increase in spending from 2015 to 2016, another 30 percent reported a decrease in funding of 5 percent or greater.

Information security also accounts for a relatively small portion of institutions’ overall IT spending, about 3 percent of the pot, with the lion’s share funding information systems, IT support services, and enterprise infrastructure.

To Grama, that means schools must allocate their limited funding intelligently and resourcefully, focusing on areas where it can do the most good, such as expanding end-user awareness programs to counter phishing and social engineering attempts.

Cybersecurity may be the topic to watch

The rise of global cyberattacks has left higher ed more vulnerable than ever — earlier this year dozens of universities plus local and federal government agencies were compromised over a two-month period. Compounding the threat is a lack of end-user awareness, training, and education, coupled with limited resources for the IT and security departments left to guard against these threats.

And just last week, several universities confirmed they had been hit with the WannaCry ransomware hack. Chief concerns are how to educate faculty against phishing attacks and how to develop institution-wide risk management assessments and security policies.

Grama says information security professionals are currently spending a significant amount of time considering the real risks posed by data breaches. A good way to learn best practices, she says, is by connecting with like-minded peers at other institutions who are dealing with the same issues, since, unlike other industries, “We’re not in competition with each other in an information security sense.”

The challenge of being both proactive and reactive

It isn’t enough to be prepared for threats as they arise; now higher ed institutions must be proactive in guarding against threats before they become a problem.

Many schools are now focusing attention on developing comprehensive security policies and developing risk management strategies to help safeguard networks. Others are starting to conduct vulnerability assessments and simulated breaches to test their responses. In general, Grama sees this as part of a larger shift across the landscape as a whole.

“In the information security space overall, we’re moving away from this notion of defend against everything, because at the end of the day that notion is quite limiting,” she says. “Instead, the goal is putting in place proactive controls and processes so that no matter what the threat is you’re prepared to respond and deal with it before it becomes an issue.”

The evolving role of the CISO

Going forward, Grama thinks institutions will spend increasing amounts of time examining leadership roles for a new and changing era. In particular, she points to the evolution of the chief information security officer from an IT-focused position to one that involves building interdepartmental relationships and taking charge of long-term strategy and purchasing decisions that impact far more than networks and security.

CISO roles, where they exist, often vary between institutions, and some are not given the influence or authority to carry out their jobs effectively. A forthcoming EDUCAUSE research paper on the role of the CISO in higher education shows that the leadership positions to which CISOs report vary according to institution type and culture.

“I think we’re going to be hearing more about complex landscapes, and I think that’s going to require institutions to continue to evolve their approach to information security,” Grama says. “Keeping in mind you still have to be reactive to many things, but putting in proactive measures to get in front of threats as well. I definitely think we’ll be talking about that into the future.”